The Rocky Mountain Information Security Conference is expanding this year to acknowledge the growing presence of privacy law in the cybersecurity world. The conference, which drew around 1,300 attendees last year, will add a free privacy forum.
The privacy forum will include speakers from law firms Husch Blackwell, Ballard Spahr, K&O, and SK&S legal as well as in-house counsel from Western Union and Velocity Global and speakers from local and international nonlegal entities such as Pulte Mortgage, American Cybersecurity Management and RISMA Systems and the International Association of Privacy Professionals.
“The community is small here in Denver in the area around privacy. There are about 350 IAPP members registered in Colorado,” said Carlin Dornbusch, president of American Cyber Security Management and one of the forum’s organizers. “This is a great way to get half of the people deep into this industry all in one room.”
The event will include panels focused on privacy by design, an update on the EU’s General Data Privacy Regulation and a rundown of proposed changes to the California Consumer Privacy Act among other sessions.
“Privacy has been dormant from the legality perspective for several years, especially in U.S. until you have a compelling event with GDPR starting to impact U.S. companies and the sheer volume of breaches,” Dornbusch said. Last year there were over 2,200 breaches at publicly registered companies, he said, and while that number might have gone down, the total number of records involved has gone way up, thanks in large part to the Mariott breach that affected as many as 500 million people.
One of the conference’s organizers, Alex Wood, vice president of information security at Pulte Financial Services and board member of the Information Systems Security Association’s Denver chapter, said privacy’s growth as an issue for businesses has pushed it to greater prominence for the conference. “The biggest catalysts have been GDPR — that really moved from being a legal and regulatory component to really having a bigger focus in security community as well — and also now with the California Consumer Privacy Act and other states following that, there’s even more weight behind that topic.”
Those two topics will be major focuses of the privacy forum, and the forum’s other organizers gave some advance insight into what is on their minds regarding those areas.
Lessons from GDPR
Although the GDPR has been in place for one full year now, there are still lessons to be learned, growing pains to wait through and practical effects to stay apprised of.
While many U.S. companies are effected by GDPR and got in compliance with the regulation in advance of, or shortly after, its implementation, some companies still haven’t fully implemented GDPR protections or have but now have to re-inventory their business after changes within the past year, Dornbusch said.
And some companies that are in compliance are now looking for efficient ways to stay in compliance. For instance, a company might have hired consultants to help get ahead of the regulation, but now it might be looking for compliance rules to automate some of the processes that need to be done frequently. And many vendors are jumping into that space by developing and selling technology to help with that, such as the access request process, data discovery or encryption.
And regardless of whether U.S. companies must comply with GDPR, the regulation provides useful best practices, he said. For instance, one of the main takeaways from GDPR is the practice of data minimization.
“You should only be collecting the data you need to run a business process,” Dornbusch said. “American companies are struggling with that. Europeans feel they have an inherent right to privacy, but it’s much different in the U.S.”
Dornbusch suggested companies stop and think about the data they collect and store and consider the impact of someone else coming to possess that. The less information a business has, the less risk it has, he said.
Going forward, Dornbusch also said companies should stay patient and realize it takes time for European regulators to get up to speed with everything that has happened since GDPR’s implementation as well. Regulators are being inundated with requests, and in some cases, the system is being abused. Dornbusch referenced a couple instances where abuse might occur — such as ex-employees of a company using the discovery process to attempt to collect their personnel information or businesses seeing enforcement for accidental violations, such as one company that used a security camera to monitor its business but that also accidentally included a view of passersby on the street.
“I think we’ll continue to see interpretations and penalties come down and how the various [Data Privacy Authorities] want to enforce those things,” Dornbusch said.
Stateside Developments
While GDPR might be old news for many in the privacy world, one major ongoing development is in the California Consumer Protection Act as well as similar laws that have been or will be proposed throughout the U.S.
Similar to the GDPR, California’s law will require compliance from companies across the U.S. It also might include some best practices or insight into regulations that will eventually be adopted in other states or even by the federal government.
California’s law will go into effect at the beginning of next year and between now and then might continue to be developed with proposed bills that add nuance to the new law.
At the beginning of this year’s legislative session, California saw about 20 new bills introduced that touched on that law in some way. And while those bills are being whittled down over time to leave the CCPA largely the same, there is still much to learn from how the state attorney general crafts regulations and provides interpretations on the law.
“The CCPA is all-consuming. Clients are incredibly interested in it,” Husch Blackwell partner David Stauss said. He said no bills have gotten through California’s legislature yet, so right now, the legislative session is almost more notable for what hasn’t changed in the CCPA rather than what has.
Stauss said one proposed bill would have expanded the private right of action to include not just data breaches but privacy rights as well, giving individuals the ability to submit requests to access data, opt out of sales information and more — what he described as a “plaintiff lawyer’s paradise.”
“I never thought it was going to [pass], but there was sort of a sigh of relief that it didn’t,” Stauss said.
Stauss said there are several other aspects of the law that were in question included whether employees — in addition to consumers — were covered by the CCPA, definitions for “reasonable security” expected from companies and including a non-discrimination provision.
In addition to California’s regulation, Stauss said he’s been watching legislative developments in other states as well. And while Washington state was the only to come close to passing other regulations — its proposed law failed in its House of Representatives after passing the state Senate — there were more proposed bills than expected at the beginning of the year. “Washington had a very different approach from CCPA, and a lot of states had state reps who took the CCPA and copied and pasted it and submitted it as proposed legislation in their state,” Stauss said. “But when you consider CCPA has a lot of problems and is under the gun of amendments and attorney general interpretation, the fact that cooler minds prevailed is a good thing.”
— Tony Flesor